Third Circuit Upholds FTC’s Data Security Authority in FTC v. Wyndham

Tuesday, August 25, 2015

The Third Circuit released its decision in FTC v. Wyndham Worldwide Corp. earlier today, affirming the district court’s decision that the FTC has the authority to regulate companies’ data security practices under the “unfair practices” prong of Section 5 of the FTC Act. The highly anticipated precedential opinion dismissed Wyndham’s arguments that the FTC lacks the authority to regulate cybersecurity practices, finding instead that neither Congressional legislation nor the FTC’s prior statements contradicted the FTC’s attempts to assert its cybersecurity powers. The court also held that Wyndham received fair notice of the potential application of the unfairness standard under Section 5 to data security practices, rejecting Wyndham’s argument that it should receive notice of which specific cybersecurity practices are required to satisfy the Section 5 standard. Finally, the court held that the FTC sufficiently alleged a “substantial injury” to consumers, as required under Section 5’s unfairness prong. An analysis of the highlights of the Third Circuit’s opinion follows.

After the district court denied Wyndham’s motion to dismiss, the Third Circuit granted interlocutory appeal on two issues: (1) whether the FTC has authority to regulate cybersecurity under the unfairness prong of its Section 5 authority, and (2) if the FTC has such authority, whether Wyndham received fair notice that its cybersecurity practices could fall short of this standard. On the first issue, the Third Circuit rejected Wyndham’s arguments that the FCRA, GLBA, and COPPA could be read to exclude cybersecurity from the reach of the FTC’s Section 5 authority. According to Wyndham, each of these statutes contains an explicit grant of authority over cybersecurity issues to the FTC — an addition that would be unnecessary if, as the FTC claimed, it has pre-existing authority over cybersecurity under Section 5. The Third Circuit rejected this argument, noting that the FCRA, GLBA, and COPPA each require the FTC to take specific actions, such as issuing regulations, that go above and beyond the bare requirements of Section 5. As such, none of these statutes contradict the position that the FTC has Section 5 authority over cybersecurity issues. The Third Circuit also rejected Wyndham’s contention that the FTC’s prior statements disclaimed regulatory authority over cybersecurity practices, finding that these statements acknowledged limitations in the FTC’s jurisdiction (such as the inability to regulate what data companies collect) that do not prevent the FTC from regulating cybersecurity practices.

Having concluded that the FTC’s Section 5 authority encompasses cybersecurity, the Third Circuit also rejected Wyndham’s argument that the FTC’s failure to provide “fair notice” of required cybersecurity practices under Section 5 violated the Due Process Clause. As part of this argument, Wyndham highlighted the alleged lack of any concrete guidance from the FTC as to what, exactly, constituted “unfair” cybersecurity practices, and claimed that the FTC failed to define the cybersecurity practices required under Section 5 with “ascertainable certainty.” However, the Third Circuit held that Wyndham’s preferred “ascertainable certainty” standard cannot apply if, as here, an agency has not issued a relevant “rule, adjudication, or document” that merits Chevron deference. Where no such deference is required, the court can only engage in the “ordinary judicial interpretation of a civil statute.” Under this standard, the Third Circuit held that Wyndham was not entitled to fair notice of the specific cybersecurity practices required by the FTC under Section 5. Instead, Wyndham was only entitled to fair notice of the general standard that is applicable to all unfairness actions (not just cybersecurity) under the plain text of Section 5.

Turning to the second part of the fair notice inquiry, the court held that Wyndham had fair notice that its alleged conduct could “fall within the meaning of” the text of Section 5. Although it acknowledged that the text of Section 5 is “far from precise,” the court held that the statute provided notice to companies that the “relevant inquiry here is a cost-benefit analysis . . . that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.” Noting that Wyndham had been hacked three times, the court held that at a minimum, Wyndham was on notice after the second hack that a court could find that its cybersecurity practices failed the cost-benefit analysis under Section 5. The court also noted that the FTC has “counseled against many of the specific practices alleged here,” both in its informal guidance and its complaints and consent decrees raising unfairness claims based on inadequate cybersecurity practices. The court emphasized the presence of similar allegations in at least five of the FTC’s enforcement actions, including one enforcement action in 2006 against CardSystems Solutions that contained almost identical allegations. Even though many of these decisions alleged a collection of violations under Section 5 and did not specify which violations were necessary or sufficient for an unfairness finding, the Third Circuit held that these enforcement actions could help companies gauge the possibility of liability under Section 5.

In addition, the Third Circuit rejected Wyndham’s argument that it could not have acted unfairly when it was victimized by hackers, finding that Wyndham’s alleged conduct did not fall outside of the “plain meaning” of “unfair.” Notably, the Third Circuit held that an unfairness claim could be brought “on the basis of likely rather than actual injury.” Although Wyndham’s conduct may not have been “the most proximate cause of an injury” within the context of the data breaches it suffered, this distinction did not immunize Wyndham from liability for foreseeable harms arising from the breaches. While the FTC’s complaint did allege actual harm to consumers resulting from the Wyndham breaches in the form of over $10 million in fraudulent charges, this language could allow the FTC to continue bringing enforcement actions where no “actual” harm to consumers exists.

Caleb Skeath is an associate in the firm's Washington, DC office. He is a member of the Privacy & Data Security, Litigation, and White Collar Defense & Investigations practice groups. Mr. Skeath is a member of the Virginia Bar. He is currently not admitted in the District of Columbia, but is supervised by principals of the firm.
